Problem securing Dask connections with TLS - python

I am trying to secure a dask distributed system using TLS but the scheduler throws "TypeError: TLS expects a 'ssl_context' argument of type ssl.SSLContext (perhaps check your TLS configuration?) Instead got None" when I run dask-ssh over some local to the network machines.
This is for a dask distributed system that is created using dask-ssh to initialize it. All of the computers in the hostfile.txt are local to the network and file server. I use the same 2 files created with the openssl tool for all machines. Using default TCP there are no issues. I think I am either making the TLS certificates incorrectly, or assigning them in the Dask config incorrectly. I have done a fair amount of googling of this error and I have no idea what could be the issue.
Here is how I am generating the certificates:
```
openssl req -newkey rsa:4096 -nodes -sha256 -x509 -days 3650 -nodes -out /MyFakeDirectory/certs/myca.pem -keyout /MyFakeDirectory/private/mykey.pem
```
Leaving every asked question after that blank.
Here are all the relevant assignments I have inside of my dask config located at: .config/dask/distributed:
```
default-scheme: tls
.
.
.
require-encryption: True
tls:
  ca-file: /MyFakeDirectory/Certs/certs/myca.pem
  scheduler:
    key: /MyFakeDirectory/Certs/private/mykey.pem
    cert: /MyFakeDirectory/Certs/certs/myca.pem
  worker:
    key: /MyFakeDirectory/Certs/private/mykey.pem
    cert: /MyFakeDirectory/Certs/certs/myca.pem
  client:
    key: /MyFakeDirectory/Certs/private/mykey.pem
    cert: /MyFakeDirectory/Certs/certs/myca.pem
  ciphers:
    ECDHE-ECDSA-AES128-GCM-SHA256
```

Related

how to run flask app in localhost with SSL

I tried to run my Flask application on localhost as well as on my local network's IP address and it ran very well (without SSL).
However, when I tried to run the application with SSL, the web browsers didn't load the page and gave the error:
Your connection is not private : NET::ERR_CERT_INVALID
Methods I have tried but failed:
1. Using Self-signed .pem certificate (Subject Type=CA)
With the generated certificate .pem and cert key, and configuring my flask app to use it.
```
openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365
```
```
app.run(
    host='192.168.1.127', port="8282", debug=True,
    ssl_context=('cert.pem', 'key.pem'),
)
```
2. Using Self-signed .crt certificate
With the generated certificate .crt and cert key, and configuring my flask app to use it.
```
$ openssl genrsa -des3 -out server.key 1024
$ openssl req -new -key server.key -out server.csr
$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
```
```
app.run(
    host='192.168.1.127', port="8282", debug=True,
    ssl_context=('server.crt', 'server.key')
)
```
3. Run Flask with ssl_context='adhoc'
```
app.run(
    host='192.168.1.127', port="8282", debug=True,
    ssl_context='adhoc'
)
```
I am trying to build a system where multiple Raspberry Pis are located in different rooms of the house but are connected to the same home network.
There is the main computer on the same network which acts as a controller, and to implement the system successfully I need to make requests from the controller system to all the Raspberry Pis over HTTPS.
It's working.
The message "connection not private" is misleading; what is actually happening is that the connection is encrypted with a certificate that is not in your chain of trust. Even if it was, I doubt the browser would accept a certificate for an IP address.
In any case, your connection is indeed encrypted.
You don't show the additional details. But you can try to add the generated certificate to your system's chain of trust.

Node.js serving over https

I'm testing a Node.js application over an https connection where I created certificates for localhost.
Certificate creation:
```
$ openssl genrsa -out localhost.key 2048
$ openssl req -new -x509 -key localhost.key -out localhost.cert -days 3650 -subj /CN=localhost
```
Use this in the server:
```
var fs = require('fs');
var express = require('express');
var http2 = require('http2');
// Host and port as used in the curl command below
var app_host = 'localhost';
var port = 9000;
var options = {
  key: fs.readFileSync('./localhost.key'),
  cert: fs.readFileSync('./localhost.cert'),
};
var app = express();
const server = http2.createSecureServer(options, app);
server.listen({ host: app_host, port: port });
```
Start the node.js server as:
```
$ node server.js
```
Tested using a simple curl command as:
```
$ curl -k https://localhost:9000/getcpuinfo
{"hw": ...}
```
The "-k" option is to ignore the certificate validation step.
But if I try to use Python's 'requests' module as shown below, the request fails:
```
$ python
import requests
requests.get("https://localhost:9000/getcpuinfo")
requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",)
```
So I used the 'verify' option to make the request; it still fails.
```
requests.get("https://localhost:9000/getcpuinfo", verify=False)
requests.exceptions.SSLError: ("bad handshake: SysCallError(-1, 'Unexpected EOF')",)
```
What am I doing wrong? How do I work around this issue using the 'requests' module? Shouldn't 'verify' prevent the check?
You can't generate https certificates over localhost.
The Python requests module does not connect to HTTP/2 servers, it only supports up to HTTP/1.1:
Requests allows you to send organic, grass-fed HTTP/1.1 requests, without the need for manual labor. There's no need to manually add query strings to your URLs, or to form-encode your POST data. Keep-alive and HTTP connection pooling are 100% automatic, thanks to urllib3.
If you compile curl with HTTP/2 support, then it will work. The curl packages pre-installed on most Linux distros and MacOS aren't and probably won't work.
Since HTTP/2 support in Node is experimental and client support is pretty bad outside of modern web browsers, I would not suggest you use it at this time unless you're specifically targeting web browsers or want to use a HTTP/2-capable web server that can support both HTTP/2 and HTTPS.
If you do need to connect to HTTP/2 servers from Python, there is the (also unstable) hyper module that does connect to a node.js HTTP/2 server. It currently doesn't allow you to disable certificate verification, so it will not be a drop-in replacement for requests.
It seems that there is a utility as part of nghttp2 called 'h2load' which works out of box for both protocols (http/1 and http/2). Thanks for all the answers/hints.
https://nghttp2.org/documentation/h2load-howto.html#basic-usage

Custom web server & self-signed certificate

First of all, let me say my knowledge of SSL and cryptography protocols is very limited. Please be patient if I say something blatantly wrong :-) . Feel free to correct me!
I'm building a custom web server to be deployed inside an isolated local network; this is how I run my service (Python code):
```
import ssl
ssl_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
ssl_context.load_cert_chain(certfile='mykey.crt', keyfile='mykey.key')
# ... client connects to https port 443 ...
ssl_sock = ssl_context.wrap_socket(sock, server_side=True)
```
This is how I generated mykey.crt and mykey.key files:
```
$ openssl genrsa -des3 -out mykey.orig.key 2048
$ openssl rsa -in mykey.orig.key -out mykey.key
$ openssl req -new -key mykey.key -out mykey.csr
$ openssl x509 -req -days 3650 -in mykey.csr -signkey mykey.key -out mykey.crt
```
So far so good, my webserver works very well. But I have to get past the "not secure" warning that Firefox rightfully shoves in my face.
I'd like to install my self-signed certificate in the few clients that are going to access my web server in order to permanently avoid the warning.
I followed every single certificate installation guide I was able to find but I absolutely cannot get Firefox (and Chrome) to accept my certificate. And I get no error message whatsoever from the browsers.
I think I'm missing something in the certificate generation commands.
Could somebody help me?
Thanks a lot!
A self-signed certificate can be used only for tests. You have to get the certificate from an 'Accredited certification authority'.
2) Please check: a self-signed certificate needs to have the following data:
URL, address,
name,
email
3) You should use a certificate signed by a CA.

Python SSL server gives me "501 Unsupported method GET"

I've followed this link to build a simple file server with SSL.
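```
from http.server import HTTPServer, BaseHTTPRequestHandler
import ssl
httpd = HTTPServer(('localhost', 4443), BaseHTTPRequestHandler)
# openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
# ssl.wrap_socket() was removed in Python 3.12, so wrap the socket through an SSLContext
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain(certfile='cert.pem', keyfile='key.pem')
httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()
```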
I have created a certificate successfully, key.pem and cert.pem file paths are cool and I can start the server using python server.py. I am asked for a password, enter it, then it freezes for a bit and then it seems to run.
However, when I enter some URL such as https://localhost:4443/index.html I get 500 Unsupported method GET. Error code explanation: HTTPStatus.NOT_IMPLEMENTED - Server does not support this operation. Do I need to do something more to make my server serve the current directory? Until now I have just used python -m http.server 8000 (SimpleHTTPServer when on Mac.) I am using Python 3.
This is and will stay local, so don't worry about the PEM files and the server script being exposed through it (if it worked!). I am also okay with the certificate being untrusted and instructed Chrome to visit the page anyway. I just need it to allow me to access the camera without having to deploy my app somewhere with a legit cert.
From the docs:
class http.server.BaseHTTPRequestHandler(request, client_address, server)
This class is used to handle the HTTP requests that arrive at the server. By itself, it cannot respond to any actual HTTP requests; it must be subclassed to handle each request method (e.g. GET or POST).
Try using SimpleHTTPRequestHandler instead, e.g.:
```
httpd = socketserver.TCPServer(('localhost', 4443), SimpleHTTPRequestHandler)
```
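The handler difference described in this answer, shown over plain HTTP on loopback so that TLS is out of the picture and only the handler class changes. This is an added example, not code from the original posts; `HelloHandler`, `get_status` and `demo` are hypothetical names and the served file is constructed.

```python
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import BaseHTTPRequestHandler, HTTPServer, SimpleHTTPRequestHandler
from pathlib import Path
from tempfile import TemporaryDirectory


class HelloHandler(BaseHTTPRequestHandler):
    """Hypothetical subclass: defining do_GET is what makes GET a supported method."""

    def do_GET(self):
        body = b"hello\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def get_status(handler, path="/"):
    """Start a server on an ephemeral loopback port, GET path, return the status."""
    httpd = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy
    try:
        url = f"http://127.0.0.1:{httpd.server_port}{path}"
        with opener.open(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # urllib raises HTTPError for 4xx/5xx responses
    finally:
        httpd.shutdown()
        httpd.server_close()


def demo():
    with TemporaryDirectory() as root:
        Path(root, "index.html").write_text("<h1>ok</h1>")  # constructed sample file
        simple = partial(SimpleHTTPRequestHandler, directory=root)
        return {
            "BaseHTTPRequestHandler": get_status(BaseHTTPRequestHandler, "/index.html"),
            "SimpleHTTPRequestHandler": get_status(simple, "/index.html"),
            "HelloHandler": get_status(HelloHandler),
        }


if __name__ == "__main__":
    print(demo())
```

The bare base class answers 501 while both the file-serving handler and the subclass with `do_GET` answer 200, so the TLS wrapping in the question is not what produces the error.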

How to add a SSL certificate after running Web2py 'one step production deployment'

I have set up a web2py environment on a linux server using the 'one step production deployment' described in the web2py document.
Now I can go to my website by typing my domain name into a web browser, except now it is untrusted by the browser.
Then I got an SSL certificate that I want to add to my server.
So my question is how to add the SSL certificate after using the one step deployment?
I searched online, but most tutorials set up everything from scratch.
If you look into the one-step-production-deployment script, you can see that it generated a self-signed cert:
```
echo "creating a self signed certificate"
echo "=================================="
openssl genrsa 1024 > /etc/apache2/ssl/self_signed.key
chmod 400 /etc/apache2/ssl/self_signed.key
openssl req -new -x509 -nodes -sha1 -days 365 -key /etc/apache2/ssl/self_signed.key > /etc/apache2/ssl/self_signed.cert
openssl x509 -noout -fingerprint -text < /etc/apache2/ssl/self_signed.cert > /etc/apache2/ssl/self_signed.info
```
And let Apache use it:
```
<VirtualHost *:443>
  SSLEngine on
  SSLCertificateFile /etc/apache2/ssl/self_signed.cert
  SSLCertificateKeyFile /etc/apache2/ssl/self_signed.key
  # ...
```
So I think what you need to do is change the path above to your new cert.
